1866866 – PAM can't identify the user when running via gnome-terminal in an X session

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1866866 - PAM can't identify the user when running via gnome-terminal in an X session

Summary: PAM can't identify the user when running via gnome-terminal in an X session

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pam
Sub Component:
Version:	8.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Iker Pedrosa
QA Contact:	shridhar
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-08-06 16:12 UTC by Akshay Sakure
Modified:	2024-10-01 16:45 UTC (History)
CC List:	4 users (show)
Fixed In Version:	pam-1.3.1-13.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 14:59:51 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SSSD-2688	0	None	None	None	2023-11-09 02:13:50 UTC

Description Akshay Sakure 2020-08-06 16:12:15 UTC

Description of problem:
PAM can't identify the user when running via gnome-terminal in an X session

Version-Release number of selected component (if applicable):
pam-1.3.1-8.el8.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Install rhel8.2 with X/gnome
2. Create "testuser" user and set password
3. Configure "testuser" user in sudoers to be able to sudo without password: 
---
testuser        ALL=(ALL)	NOPASSWD: ALL
---

4. Congiure pam.d/sudo to verify the account based on group membership, for example
   Comment out : "#account    include      system-auth" and replace with:
---
account    sufficient   pam_wheel.so trust group=users debug
---

5. Add user to users group: usermod -G users testuser

6. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully

7. Issue "service start gdm" or "systemctl isolate graphical.target" and login as "testuser" 

8. Launch a terminal and try "sudo su" or any "sudo <command>" and you will get:
---
sudo: PAM account management error: Permission denied" instead.
---

9. Check the output of /var/log/secure, this is the output when run via a gnome-terminal X session and running "sudo su":
---
Jul 13 16:32:05 rhel8 sudo[22790]: pam_wheel(sudo:account): who is running me ?! 
Jul 13 16:32:05 rhel8 sudo[22790]: testuser : PAM account management error: Permission denied ; TTY=pts/2 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
---
   Similar issue is observed when user logins with 'su'.

Actual results:
PAM doesn't identify the user and sudo fails in X session.

Expected results:
PAM should correctly identify the user and sudo should work well in X session.

Additional info:
However, sudo works well in SSH session:
---
Jul 13 16:31:29 rhel8 sudo[22765]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Jul 13 16:31:29 rhel8 sudo[22765]: testuser : TTY=pts/3 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Jul 13 16:31:29 rhel8 sudo[22765]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jul 13 16:31:29 rhel8 sudo[22765]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
Jul 13 16:31:29 rhel8 su[22766]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jul 13 16:31:29 rhel8 su[22766]: pam_unix(su:session): session opened for user root by testuser(uid=0)
---

Comment 3 Tomas Mraz 2020-08-06 16:53:19 UTC

It is a side effect of the terminal windows not having a login session in /var/run/utmp anymore.

Perhaps a fallback to PAM_RUSER could be done.

And if that does not work the thing that is done for use_uid could be done as well with the exception if getuid() returns 0 as that would be suspicious.

Comment 4 Iker Pedrosa 2020-09-10 07:34:12 UTC

master:
    6bf9b454eb971083f0cce49faa2aa1cde329ff5d - pam_wheel: improve coding style
    9091ea1d81e85f49a221b0325d27b22ce69e444a - pam_wheel: if getlogin fails fallback to PAM_RUSER
    a3a5cbf86083c43026b558e2023f597530626267 - pam_wheel: clarify use_uid option in man page

Comment 11 shridhar 2020-12-03 10:45:32 UTC

tested against:
[testuser@localhost ~]$ rpm -q pam
pam-1.3.1-14.el8.x86_64

Logged in as testuser via Gnome.

[testuser@localhost ~]$ sudo -l
Matching Defaults entries for testuser on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser may run the following commands on localhost:
    (ALL) NOPASSWD: ALL
[testuser@localhost ~]$ 

from /var/log/messages
Dec  3 05:42:57 localhost gdm-password][4687]: pam_unix(gdm-password:session): session closed for user testuser
Dec  3 05:42:57 localhost polkitd[885]: Unregistered Authentication Agent for unix-session:5 (system bus name :1.648, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec  3 05:43:01 localhost systemd[35180]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Dec  3 05:43:01 localhost gdm-password][35171]: pam_unix(gdm-password:session): session opened for user testuser by (uid=0)
Dec  3 05:43:03 localhost polkitd[885]: Registered Authentication Agent for unix-session:7 (system bus name :1.979 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec  3 05:43:22 localhost sudo[35832]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Dec  3 05:43:22 localhost sudo[35832]: testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=list
Dec  3 05:44:19 localhost su[35873]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
Dec  3 05:44:19 localhost su[35873]: pam_unix(su-l:session): session opened for user root by (uid=1001)


user is able to run the sudo command after logging in via GUI.

Comment 14 errata-xmlrpc 2021-05-18 14:59:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1649

Note You need to log in before you can comment on or make changes to this bug.